From: Peter Palfrader Date: Tue, 24 Sep 2019 21:15:01 +0000 (+0200) Subject: Create client name and secret in the fd and ship X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=33a3df4692549d1b823510f24f78f9e63794a0f4;p=mirror%2Fdsa-puppet.git Create client name and secret in the fd and ship --- diff --git a/modules/bacula/manifests/client.pp b/modules/bacula/manifests/client.pp index 6091786ff..5e7f33729 100644 --- a/modules/bacula/manifests/client.pp +++ b/modules/bacula/manifests/client.pp @@ -3,14 +3,16 @@ # this mostly configures the file daemon, but also firewall rules and # fragments to sent to the other servers. # -# @param director_server The director server that controls this client's backups -# @param storage_server The storage server to use for this client -# @param port_fd Port that bacula-fd listens on -# @param ensure present or absent +# @param director_server director server that controls this client's backups +# @param storage_server storage server to use for this client +# @param port_fd port that bacula-fd listens on +# @param client_name bacula client name for this instance +# @param ensure present or absent class bacula::client( String $director_server, String $storage_server, Integer $port_fd = 9102, + String $client_name = "${::fqdn}-fd", Enum['present', 'absent'] $ensure = defined(Class['bacula::not_a_client']) ? { true => 'absent', default => 'present' }, ) inherits bacula { $package_ensure = $ensure ? { 'present' => 'installed', 'absent' => 'purged' } 
@@ -18,23 +20,28 @@ class bacula::client( $service_enable = $ensure ? { 'present' => true, 'absent' => false } $reverse_ensure = $ensure ? { 'present' => 'absent', 'absent' => 'present' } + $client = $::fqdn + $client_secret = hkdf('/etc/puppet/secret', "bacula::director<->fd::${director_server}<->${client}") + if $ensure == 'present' { - @@bacula::director::client { $::fqdn: - port_fd => $port_fd, - client => $::fqdn, - tag => "bacula::to-director::${director_server}", + @@bacula::director::client { $client: + port_fd => $port_fd, + client => $client, + client_name => $client_name, + client_secret => $client_name, + tag => "bacula::to-director::${director_server}", } - @@bacula::storage::client { $::fqdn: + @@bacula::storage::client { $client: tag => "bacula::to-storage::${storage_server}", - client => $::fqdn, + client => $client, director_server => $director_server, } - @@concat::fragment { "bacula-dsa-client-list::${::fqdn}": + @@concat::fragment { "bacula-dsa-client-list::${client}": target => $bacula::bacula_dsa_client_list , content => @("EOF"), - ${::fqdn} + ${client} | EOF tag => $bacula::tag_bacula_dsa_client_list, } @@ -45,7 +52,7 @@ class bacula::client( } # get access to the storage - @@ferm::rule::simple { "bacula::fd-to-storage::${::fqdn}": + @@ferm::rule::simple { "bacula::fd-to-storage::${client}": tag => "bacula::fd-to-storage::${storage_server}", description => 'Allow bacula-fd access to the bacula-storage', chain => 'bacula-sd', diff --git a/modules/bacula/manifests/director/client.pp b/modules/bacula/manifests/director/client.pp index 0dddd271e..16ce4f546 100644 --- a/modules/bacula/manifests/director/client.pp +++ b/modules/bacula/manifests/director/client.pp 
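Review bot: In the exported `bacula::director::client` resource, `client_secret => $client_name` passes the client's name where the secret belongs, so the `$client_secret` derived with hkdf() a few lines above never reaches the director. The director would receive a predictable `<fqdn>-fd` style string as this client's password instead of the derived key; the line should read `client_secret => $client_secret,`. Because the secret is now exported rather than derived on the director, it is also worth confirming who can read exported resources in the stored-config backend, since the value will be kept there. The class body starts and ends outside this hunk.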
@@ -2,11 +2,15 @@ # # This is stored config by a client, collected on the director # -# @param port_fd port that this node's bacula-fd is listening on -# @param client The name of the client (relevant for device names, media type names, etc.) +# @param port_fd port that this node's bacula-fd is listening on +# @param client name of the client (relevant for device names, media type names, etc.) +# @param client_name bacula client name +# @param client_secret shared secret between director and client define bacula::director::client ( Integer $port_fd, String $client = $name, + String $client_name = "${client}-fd", # XXX remove default + String $client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${client}"), # XXX remove default ) { include bacula::director @@ -14,9 +18,6 @@ define bacula::director::client ( $bacula_ssl_client_cert = $bacula::bacula_ssl_client_cert $bacula_ssl_client_key = $bacula::bacula_ssl_client_key - $client_name = "${client}-fd" - $client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${client}") - # we define this in both bacula::director::client_from_storage and # bacula::director::client and it needs to match. $pool_name = "${bacula::director::pool_name}-${client}" diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp index 598bd6575..5a5959a29 100644 --- a/modules/bacula/manifests/init.pp +++ b/modules/bacula/manifests/init.pp 
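Review bot: The `client_secret` default still derives from the old label `"bacula-fd-${client}"`, while client.pp in this commit derives the secret from `"bacula::director<->fd::${director_server}<->${client}"`, so whenever the default applies the director and the file daemon can end up with different passwords and nothing reports it. This is presumably a transition fallback, but the `# XXX remove default` markers do not say when removal is safe. I would spell that out, e.g. `# XXX remove default once every client exports client_secret (old hkdf label, differs from bacula::client)`. With the defaults gone, a client that exports no secret fails catalog compilation instead of silently getting a fallback password. The body of the define continues outside this hunk.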
@@ -5,14 +5,12 @@ class bacula ( String $bacula_operator_email = 'bacula-reports@admin.debian.org', String $bacula_director_name = 'debian-dir', String $bacula_storage_name = 'debian-sd', - String $bacula_client_name = "${::fqdn}-fd", String $bacula_monitor_name = 'debian-mon', String $bacula_director_address = 'dinis.debian.org', String $bacula_storage_address = 'storace.debian.org', String $bacula_db_secret = hkdf('/etc/puppet/secret', "bacula-db-${::hostname}"), - String $bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${::fqdn}"), String $bacula_monitor_secret = hkdf('/etc/puppet/secret', "bacula-monitor-${bacula_director_name}"), String $bacula_ca_path = '/etc/ssl/debian/certs/ca.crt', diff --git a/modules/bacula/templates/bacula-fd.conf.erb b/modules/bacula/templates/bacula-fd.conf.erb index 16a89e088..4a9bd52ca 100644 --- a/modules/bacula/templates/bacula-fd.conf.erb +++ b/modules/bacula/templates/bacula-fd.conf.erb @@ -21,7 +21,7 @@ Director { # "Global" File daemon configuration specifications FileDaemon { - Name = <%= @bacula_client_name %> + Name = <%= @client_name %> FDAddresses = { # bacula, on Debian 9 (stretch), does not resolve a single name # to both v4 and v6 addresses. Se we can't just say
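Review bot: The `Director` block above the bacula-fd.conf.erb hunk is not shown, and if its `Password` line still reads `@bacula_client_secret` it would likely render empty. This commit removes that parameter from the `bacula` class in init.pp, and only the `Name` line is switched here. An unset instance variable in ERB evaluates to nil, so the file daemon could be written out with a blank director password without any compile error. The password line should be checked to use `<%= @client_secret %>`, matching the `$client_secret` now set in `bacula::client`.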